Security guru Bruce Schneier says there's a kind of cold war now being waged in cyberspace, only the trouble is we don't always know who we're waging it against.
Schneier appeared onscreen via Google Hangouts at the LinuxCon/CloudOpen/ContainerCon conference in Seattle on Tuesday to warn attendees that the modern security …

Re: We have met the enemy...

You may have met your enemy, but I'm still waiting to meet the dingbat(s) who pretended Java was realtime, performant, secure, or indeed "write once, run anywhere." When said parties are met (and dealt with), we may rest briefly, safe in the knowledge of what has been done, before resuming with the advancement of mankind.

Re: We have met the enemy...

> You may have met your enemy, but I'm still waiting to meet the dingbat(s) who pretended Java was realtime, performant, secure, or indeed "write once, run anywhere." When said parties are met (and dealt with), we may rest briefly, safe in the knowledge of what has been done, before resuming with the advancement of mankind.

Oh look, it's yet another poster who doesn't know the difference between enterprise Java and applets from 15 years ago. Yeah if you run Java on the client side and install it from the GUI like some rube then you're going to get the Ask toolbar. At least in Java, strings are a first-class object. Meanwhile in the 21st century, all the so-called REAL programmers using C and C++ still fail to do basic bounds checking on their strings and then shrug as the stack gets smashed.

Re: We have met the enemy...

We, collectively, are the reason for this because we are happy to accept shitty software because it is shiny and new (e.g. Android) or the established model (e.g. Windows) and we want everything Internet-connected for convenience and to save a little money on not having to make trips to physically visit important sites.

While some nation state attacks have shown the ability to jump air-gaps using infected USB sticks, etc, the vast majority rely on the simple fact that we put critical stuff on the same machines and networks as we use for external access (web, email) and then get surprised when we find our OS, software and firmware in routers, etc, is full of holes that let the two leak.

Convenience trumps security, and so far we have not had anything big enough go wrong for the law to come down and enforce stricter practice.

And of course, IT is only just at the the stage of "In the Beginning" with Global Operating Devices

In a "cyberwarfare" situation, IT's top knowledgable individuals are going to hold a lot of power, that we don't necessarily want or need - what will we do with it?.... 1980s_coder

Pool it all wisely with others anonymously of the same ilk, 1980s_coder, will extraordinarily render IT a practical and virtually impregnable intelligent foe in the command and control and hands, hearts and minds of absolutely fabulous friends. And the power of those spontaneous unions rises exponentially rather than linearly thus to make just a few extremely quickly, all too powerful to fail.

Re: And of course....

I've missed you of late, amfM1. Perfectly on point. Still, there is the problem of separating the fellow travellers from both the agents of the state and agent-provacateurs who can (and will) be working for any (or several) number of groups.

In any case, should cyber-armaggedon arrive, I'll start cracking open my secure containers. I'd advise being off the net.

Re: @1980s_coder

I think Schneier was mixing with generals and politicians a bit too much lately. All that talk about nation states, military and police... "Cyber-enemy" is border-less. And the defence ought to be border-less. And actually, it already is, in case not everyone noticed. Attempt to bring in national interests and national forces to the discussion is just a desperate attempt by the said generals and politicians to stay relevant.

”Unfortunately, we're in the early years of a cyber arms race. We're seeing a lot of stockpiling cyber weapons, both by the United States and Western countries ... by China, Russia, other countries. A lot of rhetoric about cyberwar," Schneier said. "What concerns me is that we're all going to be in the blast radius."

Methinks the major primary concern is for those others who are unfortunate enough to believe that they have remote command and control of markets and systems/assets and programs via the gift of indiscriminate wealth/electronic money supply with the facility for its spontaneous disappearance and bailings in for bailings out of corrupted systems.

You might like to consider, Bruce, in the light of what is known and what you may know about such clumsy command and control systems, that is no bad thing at all and much to be lauded and welcomed for a change of global execution in the right direction for a better alternative way of powering and EMPowering things and the Internet of Things. There a lot going on out there in the Virgin Fields Place of HyperRadioProActive CyberSpace with ITs Deep Pools and Dark Webs of Enlightened Existence and IMPractical Resistance

The bigger danger for both parties is that Trump reminds people how little their votes really mean. This can only add to the widespread frustration that is beginning to boil over. Trump is accelerating a process that was already underway. We may not like the consequences. ….. Philippe Gastonne

Surely the much bigger worry and unfolding opportunity, Philippe, is that they, rather than we, will not like the consequences and thus they think to terrorise with media and with all sorts of news which seeks to show chaos everywhere else but in their neck of the woods. It isn’t working though any more, and now they are desperately seeking safe harbour in a world with worlds which present nowhere to hide and no immunity and protection from increasingly better informed and super active mobs/bots/clones/drones, both real and virtualised.

And to deny and/or disbelieve it be so, affords and presents an immaculate stealth and perfect defence to all adept APT and ACTive virtual attack forces and sources. And whenever forewarned is forearmed, is the wrong choice of future direction and desperate action and reaction, a direct reflection and indication of a distinct lack of greater necessary intelligence and information in that which is so unfortunate to delude and place itself front and centre and leading into in harm's way.

It isn’t working though any more, and now they are desperately seeking safe harbour in a world with worlds which present nowhere to hide and no immunity and protection from increasingly better informed and super active mobs/bots/clones/drones, both real and virtualised.

Oh, they get their vulnerabilities to attacks on their wealth (Ukrainian news services hack), prestige/position (any number of attacks revealing elites behaving badly), power (bringing down pet politicians, media attack dogs, &c.). We, the technically "able-bodied" must be contained and since being self-taught is common in IT, everyone must be monitored. To them, we are the potential terrorists, ISIS/ISIL, al Quaida, the Taliban, Boko Haram, not so much. After all a drone strike or nine, no problem.

What's concerning, at least to my personal health, is our Administration declaring US citizens as valid targets without a legal (farcical) proceeding for a drone strike. And yes, I am thinking hard around that problem.

Operating systems, like Microsoft Windows, coming out of the box, before any software updates, with no vulnerabilities whatsoever.

How can something so complex as a large operating system, with all the features they have now, be written without a single bug - or, rather, a single oversight, since this is not about programs failing to do what is expected with correct input, but about opportunities to exploit invalid input?

Especially given that checking all input for correctness makes programs a lot slower and more complicated.

New approaches are needed. I think security is not actually as difficult a problem as getting massively parallel computers to do as much useful work as a uniprocessor the same number of times faster as the number of processors running in parallel. But that could just mean it's extremely difficult instead of impossible.

Time for the old truism

Knowledge is power. For years the powers have been plotting to turn the internet into a domain for war, they've just been lacking the talent. I suspect anyone who makes an effort of dumbing down penetration testing tools, slapping some idiotproof front-end on it and packaging it as an Android app could make a pretty penny marketing it to the sort of folks that push jarheads around a map.

Re: It's funny...

If things were only that simple .........

Administrations which realise the overwhelming powers which virtual command and controls offer, but which would ignore and try to deny the exercise of a more equitable program of realities with a smarter meritocracy, in favour of their retention of an oppressive status quo oligarchy, will find it impossible to function and preserve an immunity from punitive action/reaction/proaction whenever the simply complex offers made to them for a better resolution regarding the conundrum they are experiencing, and which they might choose unwisely to ignore and/or oppose, are made freely available for all to see/read/hear everywhere and anywhere.

The problem they, current exclusive executive administrative systems face, is not the spilling of secrets which they would know and hold dear, but the secrets which others who might prefer to ensure they remain relatively unknown, have discovered and would share and which render all regular traditional and irregular conventional former defences and attack protocols, null and void/absolutely useless and very revealing of self-serving hidden selfish motive.

Methinks enlightened mobs will deal fiercely with that which be no better than ignorant fools in the practice of such arrogant follies.

Re: If things were only that simple .........

Oh, and furthermore, purveyors and guardians of that aforementioned problem for dodgy systems administrations can easily sell and be thought to be bought for their wares or even be handsomely provided with everything they may ever have dreamed of to keep schtum for a while just for now.

Such a sweet prize are such surprises, and just desserts for rabid capitalists anywhere and everywhere.

Empty playbook

Security in cyber domain is considered as an integral part of National and Alliances´ security nowadays. Today, more than 100 of the world’s militaries have some sort of organization in place for cyberwarfare and over 40 countries worldwide have published their National Cyber Strategy. Cyber threats are also prioritized in many countries´ national threat assessments. For example the latest worldwide threat assessment of the US Intelligence Community states that cyber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact, and Security Strategy of the Czech Republic emphasizes how cyber attacks can cause particular failures of communication, energy and transport networks, transport processes and industrial and financial systems, resulting in considerable material damage. In short, the danger of disruptive and even destructive cyber-attack is estimated to be grown.

The debate on both the impacts of cyber attacks and how to response to attacks is active but precedents are missing. Strategies and political speeches are always (at least partially) declaratory and vague by nature, and beyond these declarations the practical reality of cyber security as a matter of national security issue is difficult. Obtaining reliable attribution is one of the most frustrating aspects of cyber, deterrence is hard to establish, and because there are no international treaties or norms about how to use digital weapons, there are no rules about how to fight cyber conflict. Also defensive, intelligence or offensive cyber capabilities are difficult to assess, because governments are holding their abilities very secret, and cyber capabilities cannot be calculated in the same way as tanks or fighter planes.

The Sony Pictures Entertainment case indicated well how it is difficult to even decide if cyber attack should have been called “cyber vandalism”, “act of war” or “cyber terrorism.” It has to be also kept in mind that we are already living in so digital dependent world that a technical glitch can halt trading in New York Stock Exchange and force all flights of the United Airlines to be grounded – on the same day. It is not only the question of national security and how governments should protect private companies, but also how attacked companies are able to deal with cyber attacks. CEO of the Sony Picture Entertainment Michael Lynton has summarized the current challenge well: "There's no playbook for this, so you are in essence trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of experiences you've had in the past or other peoples' experiences. You're on completely new ground."

Cyber security has evolved from a technical discipline to a strategic concept and conflict in the fifth domain of cyberspace blurs and perhaps enlarges the definition of “war,” to encompass espionage, sabotage, opinion influencing, and intellectual property theft. It gives nations and non-state actors new ways to pursue their political goals on the world’s chessboard. This new theater of operations, where nations must operate proficiently to keep pace with their adversaries, has no military antecedents since there have been no wars between first-class militaries in the cyber era. We are entering a dangerously unstable and suspicious era, and we are doing so without a roadmap of tested command and control fundamentals. The more ominous cyber capabilities grow, the more troubling are the command and control knowledge gaps. There is a great deal still to understand about the escalation patterns and ripple consequences of cyber war, particularly where aggression is likely to cross spheres from the virtual world to the real one. For cyber strategists today, every significant conflict or political event on the planet is a figurative classroom.

Re: Empty playbook and happy days with ab fab fabless 0days

That empty playbook, Jarno, is an unbelievable rich canvas upon which greater shared intelligences paint the future to be provided for media presentation and global realisation, which is actually then much more hypervirtualisation,

And now, a little surfing to see if Aalto University is into supplying such novel future leadership alumni.

And yes, ye olde established power systems are certainly rightly terrified of what even the most simply competent of cybernauts can practically do with virtually nothing and when it is only intelligence which can mentor and monitor their concerns to mitigate and manipulate all that the future holds as IT unfolds it in all of its glory, is that which is needed plainly identified for top gun hire in meaningful engagements/infinitely smarter programs for more enlightened bodies.